author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-06-22 14:26:15 +0200 |
---|---|---|
committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-06-22 14:26:15 +0200 |
commit | 345a8534ff39cc9550cbacabe2b3fffe20293508 (patch) | |
tree | 67c2deb3c10d00ecb758a162c4ff88221b7e3741 /BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java | |
parent | f31c5c8e557b611ff4f5e43443975fb08a202863 (diff) | |
implement a workaround to fix XXE and SSRF problems in an old XMLStreamParser implementation of a third-party library
Diffstat (limited to 'BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java')
-rw-r--r-- | BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
new file mode 100644
index 00000000..8901969d
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
@@ -0,0 +1,72 @@
+package at.gv.egiz.bku.online.filter;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import javax.servlet.ReadListener;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.io.IOUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+import at.gv.egiz.bku.binding.HttpUtil;
+
+
+public class MoccaHttpServletRequestWrapper extends HttpServletRequestWrapper {
+
+ private static Logger log = LoggerFactory.getLogger(MoccaHttpServletRequestWrapper.class);
+
+ private final byte[] body;
+ private final String charset;
+
+ public MoccaHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
+ super(request);
+
+ String ct = request.getHeader(HttpUtil.HTTP_HEADER_CONTENT_TYPE.toLowerCase());
+ charset = HttpUtil.getCharset(ct, true);
+
+ byte[] result = null;
+ try {
+ result = IOUtils.toByteArray(request.getReader(), charset);
+
+ } catch (IOException e) {
+ log.error("Can not copy input stream!!!!!", e);
+ throw new IOException("Can not copy input stream!!!!!", e);
+
+ } finally {
+ body = result;
+
+ }
+ }
+
+ public boolean isInputStreamAvailable() {
+ return (body != null && body.length > 0);
+
+ }
+
+ @Override
+ public BufferedReader getReader() throws IOException {
+ return new BufferedReader(new InputStreamReader(getInputStream(), charset));
+
+ }
+
+ @Override
+ public ServletInputStream getInputStream() throws IOException {
+ final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body);
+ return new ServletInputStream() {
+
+ @Override
+ public int read() throws IOException {
+ return byteArrayInputStream.read();
+ }
+
+ };
+
+ }
+} |
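Review bot: The body is captured through `request.getReader()` and re-encoded with `charset`, so `getInputStream()` later hands back transcoded bytes rather than the original request bytes; if the container's reader encoding differs from what `HttpUtil.getCharset(ct, true)` returns, or the XML payload declares its own encoding, non-ASCII content can be altered before the downstream parser sees it. Copying the raw stream instead, `result = IOUtils.toByteArray(request.getInputStream());`, keeps the cached bytes byte-identical and leaves `charset` to `getReader()` alone. The whole body is also buffered in memory with no size bound, which deserves at least a comment (or a cap enforced by the calling filter) since this wrapper is meant to sit in front of untrusted requests. The anonymous `ServletInputStream` overrides only `read()` while `javax.servlet.ReadListener` is imported and never used, which suggests `isFinished()`, `isReady()` and `setReadListener(ReadListener)` were intended; those are abstract in Servlet 3.1, so the class compiles only against an older API level, which cannot be confirmed from this hunk. `log` should be declared `static final`.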